Thanks for your help. Finally I got an ACL like this:
access to dn="cn=[^,]+,ou=([^,]+),dc=com"
    by dn="ou=$1,dc=com" write
    by dn="cn=*,ou=$1,dc=com" read
    by * none
access to *
    by self write
    by * none
My tree is like this:
dc=root
    ou=a
        cn=1
        cn=2
    ou=b
        cn=1
        cn=2
The ACL has achieved these effects:
1. every node can write itself
2. a DN like cn=1,ou=a,dc=com can read the other DNs on the same level in the same group
3. a DN like cn=1,ou=a,dc=com can be written by its parent node
But I have a question: why can cn=1,ou=a,dc=com write cn=2,ou=a,dc=com?
Maybe I don't understand "$1". What does it represent?
Best regards,
sheujun
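As an added illustration (not part of sheujun's post, and not OpenLDAP code), the Python script below mimics how slapd evaluates the clauses quoted above: the `to dn=` regex is matched against the target entry, `$1` is replaced by the text captured by the `([^,]+)` group, and the expanded `by dn=` pattern is then matched against the requester's DN as a regular expression. The assumptions are that slapd treats both patterns as unanchored regular expressions (a pattern without `^`/`$` matches anywhere inside the DN) and that Python's `re` module behaves like slapd's regex engine for these patterns. `ACL_ANCHORED` is a hypothetical rewrite of mine, not anything from the post, and the suffix `dc=com` is taken from the ACL as posted rather than from the `dc=root` tree.

```python
import re

# Patterns copied from the ACL in the post. slapd substitutes $1 in a "by dn="
# pattern with the first parenthesised submatch of the "to dn=" regex and then
# uses the result as a regular expression. Python's re stands in for slapd's
# regex engine here; that equivalence is an assumption of this example.
TO_PATTERN = r"cn=[^,]+,ou=([^,]+),dc=com"

# "by" clauses as posted: (pattern, access). Evaluation stops at the first
# matching clause; the trailing "by * none" is the fallback when none matches.
ACL_AS_POSTED = [
    ("ou=$1,dc=com", "write"),
    ("cn=*,ou=$1,dc=com", "read"),
]

# Hypothetical anchored variant (my assumption of the intended meaning, not from
# the post): ^ and $ force the whole requester DN to match, and [^,]+ replaces
# "*", which in a regex quantifies the preceding "=" instead of acting as a
# wildcard.
ACL_ANCHORED = [
    ("^ou=$1,dc=com$", "write"),
    ("^cn=[^,]+,ou=$1,dc=com$", "read"),
]


def submatch(target, to_pattern=TO_PATTERN):
    """What $1 expands to for a given target entry: the text matched by ([^,]+)."""
    m = re.search(to_pattern, target)
    return m.group(1) if m else None


def expand(by_pattern, to_match):
    """Replace $1..$9 with the corresponding submatch, verbatim, as slapd does."""
    return re.sub(r"\$([1-9])", lambda d: to_match.group(int(d.group(1))), by_pattern)


def by_clause_matches(by_pattern, requester, target, to_pattern=TO_PATTERN):
    """Does one 'by dn=' clause match the requester for this target entry?"""
    to_match = re.search(to_pattern, target)
    if to_match is None:
        return False
    # re.search, not re.fullmatch: an unanchored regex matches anywhere in the DN,
    # so "ou=a,dc=com" also matches the requester "cn=1,ou=a,dc=com".
    return re.search(expand(by_pattern, to_match), requester) is not None


def access(acl, requester, target, to_pattern=TO_PATTERN):
    """Access this directive grants requester on target: first matching clause wins."""
    if re.search(to_pattern, target) is None:
        return None  # the "access to" directive does not apply to this entry
    for by_pattern, level in acl:
        if by_clause_matches(by_pattern, requester, target, to_pattern):
            return level
    return "none"  # the trailing "by * none"


if __name__ == "__main__":
    # Constructed sample DNs following the tree in the post.
    sibling, parent, target = "cn=1,ou=a,dc=com", "ou=a,dc=com", "cn=2,ou=a,dc=com"
    print("$1 for", target, "is", submatch(target))
    for name, acl in (("as posted", ACL_AS_POSTED), ("anchored", ACL_ANCHORED)):
        for who in (sibling, parent, "cn=1,ou=b,dc=com"):
            print(f"{name:9} {who:20} -> {access(acl, who, target)}")
    print("read clause as posted matches sibling:",
          by_clause_matches("cn=*,ou=$1,dc=com", sibling, target))
```

Running it shows that `$1` is `a` for `cn=2,ou=a,dc=com`, that the unanchored pattern `ou=a,dc=com` matches the sibling `cn=1,ou=a,dc=com` as well as the parent (so the `write` clause is the one granting the sibling access), and that the `cn=*` clause as posted never matches a sibling with a non-empty cn, because `*` repeats the preceding `=` rather than matching an arbitrary value. With the anchored variant the parent gets `write`, a sibling gets `read`, and an entry under `ou=b` gets `none`.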